Jann Horn discovered[1] that the setuid-root mount.ecryptfs_private
helper would mount over any target directory that the user owns. This
included procfs. A user could mount over the /proc/ of a process
that they own and maliciously craft files in that mount point with the
intent to confuse privileged processes that interact with those files.
Once the crafted mount point was set up, the reporter used the newuidmap
program (also setuid-root) to escalate his privileges by confusing it
with the files in the crafted mount point.

This issue was assigned CVE-2016-1572.

The upstream fix[2] prevents the attack by creating a whitelist of mount
target filesystem types that mount.ecryptfs_private can safely
mount over.

[1] https://launchpad.net/bugs/1530566
[2] https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/870

Tyler
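
The kind of check the fix describes, sketched as an added example (not the upstream ecryptfs-utils patch and not code from this advisory): a setuid helper asks statfs(2) for the filesystem type of the mount target and refuses anything not on an allowlist, so procfs is rejected by default. The function names, the macro names and the contents of the allowlist are assumptions made for this illustration; Linux is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/vfs.h>    /* statfs(2) on Linux */

/* Superblock magic numbers, values as listed in <linux/magic.h>.
 * The MAGIC_* names are local to this example. */
#define MAGIC_EXT234 0xEF53UL
#define MAGIC_BTRFS  0x9123683EUL
#define MAGIC_XFS    0x58465342UL
#define MAGIC_TMPFS  0x01021994UL
#define MAGIC_PROC   0x9FA0UL
#define MAGIC_SYSFS  0x62656572UL

/* Assumed allowlist for this example: ordinary data filesystems only.
 * procfs, sysfs and anything unknown are refused because they are absent. */
static const unsigned long allowed_fs[] = {
    MAGIC_EXT234, MAGIC_BTRFS, MAGIC_XFS, MAGIC_TMPFS
};

/* Return 1 only if f_type is explicitly listed, 0 otherwise. */
int fs_type_allowed(unsigned long f_type)
{
    for (size_t i = 0; i < sizeof(allowed_fs) / sizeof(allowed_fs[0]); i++)
        if (allowed_fs[i] == f_type)
            return 1;
    return 0;
}

/* Return 1 if the filesystem holding `target` is on the allowlist.
 * Fails closed: a NULL path or a statfs() error counts as "refused".
 * A real helper must run this check on the same directory it then
 * mounts over, so the path cannot be swapped between check and mount. */
int target_fs_allowed(const char *target)
{
    struct statfs fs;

    if (target == NULL || statfs(target, &fs) != 0)
        return 0;
    return fs_type_allowed((unsigned long)fs.f_type);
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/proc/self";
    int ok = target_fs_allowed(target);

    printf("%s: %s\n", target, ok ? "allowed mount target" : "refused");
    return ok ? 0 : 1;
}
```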